Three major changes being introduced by the GDPR are tougher penalties for infringements, a duty to report security breaches and a requirement on some organisations to appoint a data protection officer. Siobhan Atkin and Gwynneth Tan report